Sandboxing for containers

Even when user namespaces are fully implemented, there remains the concern that containers share a kernel with the host and may be able to exploit syscall vulnerabilities in particular to gain access to, and privilege in, the host.

Historically, relatively new syscalls in particular have ended up with vulnerabilities that a container would be able to exploit.

Whiteboard

Status: not yet started
The seccomp2 patch in the oneiric kernel supports execve, but is not yet upstream. minijail0 is a proof-of-concept general sandbox tool that works on precise and could be packaged. LXC support for seccomp2 should be possible.
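As an added illustration of the seccomp2 mechanism the whiteboard refers to (example code written for this page, not taken from minijail0, LXC or the oneiric kernel patch): a SECCOMP_MODE_FILTER program that allows every syscall except a small denylist, which fails with EPERM instead of entering the kernel. It assumes a kernel with seccomp mode 2 (Linux 3.5 or the patched oneiric kernel), an x86_64 or aarch64 ABI, and uses getppid as a harmless stand-in for a syscall a container should not need.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64   /* add the AUDIT_ARCH_* value for other ABIs */
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#endif
#define MAX_DENIED 16               /* BPF jump offsets are 8-bit: keep the list short */
/* Install a seccomp2 (SECCOMP_MODE_FILTER) policy on the calling process: every syscall is allowed
 * except the numbers in denied[], which fail with EPERM before reaching kernel code. 0 ok, -1 error. */
int install_denylist(const int *denied, size_t n)
{
    if (n == 0 || n > MAX_DENIED) { errno = EINVAL; return -1; }
    struct sock_filter f[4 + MAX_DENIED + 2];
    size_t k = 0;
    /* Syscall numbers differ per ABI: kill the task if the arch is not the one this filter targets. */
    f[k++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    f[k++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0);
    f[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    f[k++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    /* One compare per denied number; a match jumps over the remaining compares and the ALLOW to ERRNO. */
    for (size_t i = 0; i < n; i++)
        f[k++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)denied[i], (unsigned char)(n - i), 0);
    f[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    f[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA));
    struct sock_fprog prog = { .len = (unsigned short)k, .filter = f };
    /* no_new_privs lets an unprivileged task install a filter and stops setuid binaries from
     * inheriting a policy chosen by whoever launched them. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Issue syscall nr with no arguments: 0 if it ran, otherwise the errno it failed with. */
int probe_syscall(long nr) { errno = 0; return syscall(nr) == -1 ? errno : 0; }

int main(void)
{
    const int denied[] = { SYS_getppid };   /* harmless stand-in for a syscall the container should not need */
    if (install_denylist(denied, 1) != 0) { perror("seccomp"); return 1; }
    printf("getpid -> %d, getppid -> %d (EPERM is %d)\n", probe_syscall(SYS_getpid), probe_syscall(SYS_getppid), EPERM);
    return 0;
}
```

A container policy would normally be the inverse, an allowlist with deny by default, which is the same program with the final ALLOW and ERRNO returns swapped.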